Challenges in open, self-sovereign identity
Talk by Tom Marble (http://info9.net/wiki/tmarble/). Seen at FOSSy, 2023.
What is it?
Ten Principles of Self-Sovereign Identity by Christopher Allen (he puts on the “Rebooting the Web of Trust” conference)
His goals are:
- Share messages and files securely (combat deep fakes)
- Authenticate with third party services
- non-correlation (prevent identity merging)
- with multiple personas
- Opt-in, discoverable identity (white pages, pub keyservers)
- User friendly and intuitive (does the right thing)
- Self-hosted or delegated (does not require a third party)
Thought experiment:
- Open every email in a container
- Open every web page in incognito mode
- access via VPN/Tor
Evil32: an attack that generates GPG keys whose last 32 bits match those of a target key. Useful for sneaking a lookalike key past unsuspecting folks.
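The defensive check Evil32 calls for, as an added example (not from the talk): never resolve a key by its 32-bit short ID, flag keyring entries that share one, and compare full fingerprints against a pinned value. The listing is a constructed sample in the `gpg --with-colons --fingerprint` record format; the fingerprints, user IDs and function names are made up for illustration, and 40-hex (v4) fingerprints are assumed.

```python
from collections import defaultdict

# Constructed sample: two primary keys share the short ID 01234567.
SAMPLE = """\
pub:-:4096:1:7777888801234567:1388534400:::-:::scESC:
fpr:::::::::1111222233334444555566667777888801234567:
uid:-::::1388534400::::Alice Example <alice@example.org>:
sub:-:4096:1:AAAA00000F0F0F0F:1388534400::::::e:
fpr:::::::::AAAA0000AAAA0000AAAA0000AAAA00000F0F0F0F:
pub:-:4096:1:FFFF000001234567:1402000000:::-:::scESC:
fpr:::::::::9999AAAABBBBCCCCDDDDEEEEFFFF000001234567:
uid:-::::1402000000::::Alice Example <alice@example.org>:
pub:-:4096:1:2A2B2C2D2E2F3A3B:1390000000:::-:::scESC:
fpr:::::::::0A0B0C0D0E0F1A1B1C1D1E1F2A2B2C2D2E2F3A3B:
uid:-::::1390000000::::Bob Example <bob@example.org>:
"""

def primary_keys(colon_listing):
    """Return [(fingerprint, first_uid)] for primary keys, skipping subkeys."""
    keys, want_fpr = [], False
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            want_fpr = True            # next fpr record belongs to this key
        elif f[0] == "sub":
            want_fpr = False           # fpr records after a sub are subkeys
        elif f[0] == "fpr" and want_fpr and len(f) > 9:
            keys.append([f[9].upper(), None])
            want_fpr = False
        elif f[0] == "uid" and keys and keys[-1][1] is None and len(f) > 9:
            keys[-1][1] = f[9]         # field 10 holds the user ID
    return [tuple(k) for k in keys]

def short_id_collisions(keys):
    """Group keys by the last 32 bits of the fingerprint; keep only clashes."""
    by_short = defaultdict(list)
    for fpr, uid in keys:
        by_short[fpr[-8:]].append((fpr, uid))
    return {s: ks for s, ks in by_short.items() if len(ks) > 1}

def matches_pinned(fpr, pinned):
    """Trust decision: the whole 160-bit fingerprint must equal the pinned one."""
    a = "".join(fpr.split()).upper()
    b = "".join(pinned.split()).upper()
    return len(b) == 40 and a == b

if __name__ == "__main__":
    for short, ks in short_id_collisions(primary_keys(SAMPLE)).items():
        print("ambiguous short ID", short)
        for fpr, uid in ks:
            print("   ", fpr, uid)
```

Both colliding entries carry the same user ID, so only the pinned full fingerprint tells them apart.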
Out of scope for him:
- Application transparency
- FOSS signing
- Micropayments
- “app permissions”/selective disclosure
- legal electronic signatures (e.g. not docusign)
- Spam (filter on authenticated sender)
Current problems / approaches
- email is identity (forgot password)
- human meaningful, but not secure or “decentralized”?
- can easily be spoofed
- X.509 weaknesses, MiTM, Certificate Transparency
- DID
- (often) on chain (and blockchain is bad)
- asymmetric ownership/control
- There aren’t good open source DID resolvers
- You can solve this in the small, but this isn’t a solution across the whole internet w/o using blockchain (and blockchain is bad)
- DID resolution is underspecified (DIDweb)
- Managing passwords is hard, so we delegate to big companies or password managers
- surveillance capitalism, “Real Name” policy, DNT (Do not Track) is advisory
DID & VC: Untangling decentralized identifiers and verifiable credentials for the web of trust
Current approaches:
- SQRL: Secure Quick Reliable Login
- FIDO2: like SQRL. Used in WebAuthn; CTAP2 = YubiKeys
- Passkeys, designed to eliminate the shortcomings of FIDO or single-device credentials
- European Digital Identity (EUDI)
Q: What’s the name of breaking a public key into parts and giving them to a bunch of folks for recovery?
A: Key Sharding
Challenge: Zooko’s Triangle
Tech is not sufficient
- Awareness (how do we get people to care?)
- Competition (competing against proprietary solutions & government)
- Leaking Correlation (“self-sufficiency theater”, Pamela Dingle, Director of identity standards at Microsoft; it’s hard not to leak correlation info like email, birth date, phone, SSN).
How open source can help
Speaker is currently working on “Betrusted”, an open source/open hardware device which is kinda like a phone, but it’s scoped down just for secure messaging. It’s using “Xous”, a
- yes: wifi
- no: camera, microphone, bluetooth